Andrew C. Yao,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-642-13708-2_20

2010-01-01

Abstract:In this work, we develop a family of non-malleable and deniable Diffie-Hellman key-exchange (DHKE) protocols, named deniable Internet key-exchange (DIKE). The newly developed DIKE protocols are of conceptual clarity, provide much remarkable privacy protection to protocol participants, and are of highly practical (online) efficiency.For the security of the DIKE protocols, we formulate the notion of tag-based robust non-malleability (TBRNM) for DHKE protocols, which ensures robust non-malleability for DHKE protocols against concurrent man-in-the-middle (CMIM) adversaries and particularly implies concurrent forward deniability for both protocol participants. We show that the TBRNM security and the session-key security (SK-security) in accordance with the Canetti-Krawczyk framework are mutually complementary, thus much desirable to have DHKE protocols that enjoy both of them simultaneously. We prove our DIKE protocol indeed satisfies both (privacy preserving) TBRNM security and SK-security (with post-specified peers). The TBRNM analysis is based on a variant of the knowledge-of-exponent assumption (KEA), called concurrent KEA assumption introduced and clarified in this work, which might be of independent interest.

Andrew Chi-Chih Yao,Yunlei Zhao

DOI: https://doi.org/10.1145/2508859.2516695

2013-01-01

Abstract:Cryptography algorithm standards play a key role both to the practice of information security and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of implicitly authenticated Diffie-Hellman key-exchange (DHKE) protocols that are among the most efficient and are widely standardized. In this work, from some new perspectives and under some new design rationales, and also inspired by the security analysis of HMQV, we develop a new family of practical implicitly authenticated DHKE (IA-DHKE) protocols, which enjoy notable performance among security, efficiency, privacy, fairness and easy deployment. We make detailed comparisons between our new protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Very briefly speaking, we achieve: • The most efficient provably secure IA-DHKE protocol to date, and the first online-optimal provably secure IA-DHKE protocols. • The first IA-DHKE protocol that is provably secure, resilience to the leakage of DH components and exponents, under merely standard assumptions without additionally relying on the knowledge-of-exponent assumption (KEA). • The first provably secure privacy-preserving and computationally fair IA-DHKE protocol, with privacy-preserving properties of reasonable deniability and post-ID computability and the property of session-key computational fairness. Guided by our new design rationales, in this work we also formalize and introduce some new concept, say session-key computational fairness (as a complement to session-key security), to the literature.

Chun-Li Lin,Hung-Min Sun,Tzonelih Hwang

DOI: https://doi.org/10.1145/371455.371460

2001-01-01

Abstract:In 1992, Bellovin and Merritt proposed Encrypted Key Exchange (EKE) protocols for preventing dictionary attacks on weak chosen passwords. In 1995, Steiner, Tsudik, and Waidner proposed a minimal DHEKE protocol which simplified the Diffie-Hellman based one of Bellovin and Merritts' protocols. In this paper, we propose two improvements on the minimal DHEKE protocol. These two improvements can reduce the computational cost further.

Zhao Hu,Yuesheng Zhu,Limin Ma

DOI: https://doi.org/10.1109/icon.2012.6506591

2012-01-01

Abstract:Kerberos is a widely-used network authentication protocol based on a trusted third-party. PKINIT, an enhanced Kerberos protocol which uses PKI mechanism, can prevent the password guessing attack, however, it introduces excessive amount of computational power. To enhance the security performance and computation efficiency of Kerberos, in this paper an improved Kerberos protocol based on Diffie-Hellman-DSA (DH-DSA) key exchange is proposed. Mutual authentication and key exchange between the client and Authentication Server (AS) can be simultaneously achieved with the proposed approach. Our experimental and analysis results have demonstrated that this new protocol can resist the password guessing attack and is more efficient and easily deployed than PKINIT.

Victor Boyko,Philip MacKenzie,Sarvar Patel

DOI: https://doi.org/10.1007/3-540-45539-6_12

2000-01-01

Abstract:When designing password-authenticated key exchange protocols (as opposed to key exchange protocols authenticated using crypto-graphically secure keys), one must not allow any information to be leaked that would allow verification of the password (a weak shared key), since an attacker who obtains this information may be able to run an off-line dictionary attack to determine the correct password. We present a new protocol called PAK which is the first Diffie-Hellman-based password-authenticated key exchange protocol to provide a formal proof of security (in the random oracle model) against both passive and active adversaries. In addition to the PAK protocol that provides mutual explicit authentication, we also show a more efficient protocol called PPK that is provably secure in the implicit-authentication model. We then extend PAK to a protocol called PAK-X, in which one side (the client) stores a plaintext version of the password, while the other side (the server) only stores a verifier for the password. We formally prove security of PAK-X, even when the server is compromised. Our formal model for password-authenticated key exchange is new, and may be of independent interest.

Andrew C. Yao,Yunlei Zhao

IF: 4.755

2011-01-01

Clinical Orthopaedics and Related Research

Abstract: Cryptography algorithm standards play a key role both to the practice of information security and to cryptography theory research. Among them, the MQV and HMQV protocols ((H)MQV, in short) are a family of (implicitly authenticated) Diffie-Hellman key-exchange (DHKE) protocols that are widely standardized and deployed. In this work, from some new perspectives and approaches and under some new design rationales and insights, we develop a new family of practical implicitly authenticated DHKE protocols, which enjoy notable performance among security, privacy, efficiency and easy deployment. We make detailed comparisons between our new DHKE protocols and (H)MQV, showing that the newly developed protocols outperform HMQV in most aspects. Along the way, guided by our new design rationales, we also identify a new vulnerability (H)MQV, which brings some new perspectives (e.g., computational fairness) to the literature.

Huanhuan Lian,Tianyu Pan,Huige Wang,Yunlei Zhao

DOI: https://doi.org/10.1007/978-3-030-88428-4_32

2021-01-01

Abstract:Identity-based authenticated key exchange (ID-AKE) allows two parties (whose identities are just their public keys) to agree on a shared session key over open channels. At ESORICS 2019, Tomida et al. proposed a highly efficient ID-AKE protocol, referred to as the TFNS19-protocol, under the motivation of providing authentication and secure communication for huge number of low-power IoT devices. The TFNS19-protocol currently stands for the most efficient ID-AKE based on bilinear pairings, where each user remarkably performs only a single pairing operation. But it does not consider users' identity privacy, and the security is based on relatively non-standard assumptions. In this work, we formulate and design identity-based identity-concealed AKE (IB-CAKE) protocols. Here, identity concealment means that the session transcript does not leak users' identity information. We present a simple and highly practical IB-CAKE protocol, which is computationally more efficient than the remarkable TFNS19-protocol in total. We present a new security model for IB-CAKE, and show it is stronger than the ID-eCK model used for the TFNS19-protocol. The security of our IB-CAKE protocol is proved under relatively standard assumptions in the random oracle model, assuming the security of the underlying authenticated encryption and the gap bilinear Diffie-Hellman (Gap-BDH) problem. Finally, we provide the implementation results for the proposed IB-CAKE scheme, and present performance benchmark.

Jie Lin,Hoi-Kwong Lo,Jacob Johannsson,Mattia Montagna,Manfred von Willich

2024-07-31

Abstract:Pre-shared keys (PSK) have been widely used in network security. Nonetheless, existing PSK solutions are not scalable. Moreover, whenever a new user joins a network, PSK requires an existing user to get a new key before they are able to communicate with the new user. The key issue is how to distribute the PSK between different users. Here, we solve this problem by proposing a new protocol called Distributed Symmetric Key Establishment (DSKE). DSKE has the advantage of being scalable. Unlike standard public key infrastructure (PKI) which relies on computational assumptions, DSKE provides information-theoretic security in a universally composable security framework. Specifically, we prove the security (correctness and confidentiality) and robustness of this protocol against a computationally unbounded adversary, who additionally may have fully compromised a bounded number of the intermediaries and can eavesdrop on all communication. DSKE also achieves distributed trust through secret sharing. We present several implementations of DSKE in real environments, such as providing client services to link encryptors, network encryptors, and mobile phones, as well as the implementation of intermediaries, called Security Hubs, and associated test data as evidence for its versatility. As DSKE is highly scalable in a network setting with no distance limit, it is expected to be a cost-effective quantum-safe cryptographic solution to the network security threat presented by quantum computers.

Cryptography and Security,Quantum Physics

María Isabel González Vasco,Angel L. Pérez del Pozo,Claudio Soriente,Maria Isabel Gonzalez Vasco,Angel Perez Del Pozo

DOI: https://doi.org/10.1109/tdsc.2019.2919013

2019-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Anonymous Password-Authenticated Key Exchange ($sf{ APAKE}$APAKE) can be seen as the hybrid offspring of standard key exchange and anonymous password authentication protocols. $sf{ APAKE}$APAKE allows a client holding a low-entropy password to establish a session key with a server, provided that the client's password is in the server's set. Moreover, no information about the password input by the client or the set of valid passwords held by the server should leak to the other party–beyond whether the client's password lies or not in the server's password database. To the best of our knowledge, all $sf{ APAKE}$APAKE proposals to date either assume client storage or force the client to remember the index assigned to its password in the server's database. Furthermore, earlier works either provide only informal definitions or fail in some sense to properly model the primitive. In this paper, we provide a formal security model for $sf{ APAKE}$APAKE, capturing security and ano-ymity provisions for both clients and servers. In addition, we present two $sf{ APAKE}$APAKE protocols that only require clients to remember a password and that attain our sought key secrecy and anonymity guarantees. Our first protocol leverages oblivious pseudo-random functions, while the second one builds upon a special type of identity-based encryption scheme.

computer science, information systems, software engineering, hardware & architecture

Hu Xiong,Qianhong Wu,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-24861-0_6

2011-01-01

Abstract:Certificateless authenticated key exchange (CL-AKE) protocols do not suffer from intricate certificate management or heavy trust reliance on a third party. Unfortunately, these advantages are partially counteracted in most CL-AKE protocols which require expensive pairing operations. This paper proposes a new CL-AKE protocol without requiring any pairing operation during the protocol execution, although a pairing map may be required to realize a Decisional Diffie-Hellman (DDH) oracle in the security proof. With implicit authentication, we illustrate modular proofs in a security model incorporating standard definitions of AKE protocols and certificateless cryptography. Analysis shows that our protocol is also efficient.

Amit Kumar Roy,Keshab Nath,Gautam Srivastava,Thippa Reddy Gadekallu,Jerry Chun-Wei Lin

DOI: https://doi.org/10.3390/s22051958

IF: 3.9

2022-03-02

Sensors

Abstract:Presently, lightweight devices such as mobile phones, notepads, and laptops are widely used to access the Internet throughout the world; however, a problem of privacy preservation and authentication delay occurs during handover operation when these devices change their position from a home mesh access point (HMAP) to a foreign mesh access point (FMAP). Authentication during handover is mostly performed through ticket-based techniques, which permit the user to authenticate itself to the foreign mesh access point; therefore, a secure communication method should be formed between the mesh entities to exchange the tickets. In two existing protocols, this ticket was not secured at all and exchanged in a plaintext format. We propose a protocol for handover authentication with privacy preservation of the transfer ticket via the Diffie–Hellman method. Through experimental results, our proposed protocol achieves privacy preservation with minimum authentication delay during handover operation.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chun-Li Lin,Hung-Min Sun,Tzonelih Hwang

DOI: https://doi.org/10.1145/506106.506108

2000-01-01

ACM SIGOPS Operating Systems Review

Abstract:Password-based mechanism is the widely used method for authentication since it allows people to choose their own passwords without any assistant device to generate or store. However, people are used to choose easy-to-remember passwords such that guessing attacks could succeed. In 1992, Bellovin and Merritt proposed Encrypted Key Exchange (EKE) protocols for preventing guessing attacks, in which two communication parties A and B securely share a possibly weak password in advance. In large communication environments, it is inconvenient in key management that every two communication parties mutually share a secret. Three-party EKE protocols, in which all parties (clients) share their secrets with a trusted server only, are more suitable for large communication environments. In 1995, Steiner, Tsudik and Waidner proposed a realization of three-party EKE protocol which is later demonstrated that it is vulnerable to undetectable on-line guessing attacks. In this paper, We will show a new off-line guessing attack on Steiner, Tsudik and Waidners' protocol. Besides, we will also propose a new three-party EKE protocol which not only is secure against both the off-line guessing attack and undetectable on-line guessing attacks but also satisfies the security properties of perfect forward secrecy and known-key security.

CL Lin,HM Sun,M Steiner,T Hwang

DOI: https://doi.org/10.1016/j.cose.2004.06.007

IF: 5.105

2004-01-01

Computers & Security

Abstract:Three-party key-exchange protocols with password authentication-clients share an easy-to-remember password with a trusted server only-are very suitable for applications requiring secure communications between many light-weight clients (end users); it is simply impractical that every two clients share a common secret. Steiner, Tsudik and Waidner (1995) proposed a realization of such a three-party protocol based on the encrypted key exchange (EKE) protocols. However, their protocol was later demonstrated to be vulnerable to off-line and undetectable on-line guessing attacks. Lin, Sun and Hwang (see ACM Operating Syst. Rev., vol.34, no. 4, p.12-20, 2000) proposed a secure three-party protocol with server public-keys. However, the approach of using server public-keys is not always a satisfactory solution and is impractical for some environments. We propose a secure three-party EKE protocol without server public-keys.

Jie Lin,Manfred von Willich,Hoi-Kwong Lo

2024-07-30

Abstract:The Distributed Symmetric Key Establishment (DSKE) protocol provides secure secret exchange (e.g., for key exchange) between two honest parties that need not have had prior contact, and use intermediaries with whom they each securely share confidential data. We show the composable security of the DSKE protocol in the constructive cryptography framework of Maurer. Specifically, we prove the security (correctness and confidentiality) and robustness of this protocol against any computationally unbounded adversary, who additionally may have fully compromised a bounded number of the intermediaries and can eavesdrop on all communication. As DSKE is highly scalable in a network setting with no distance limit, it is expected to be a cost-effective quantum-safe cryptographic solution to safeguarding the network security against the threat of quantum computers.

Cryptography and Security,Quantum Physics

Jiang Zhang,Zhenfeng Zhang,Jintai Ding,Michael Snook,Oezguer Dagdelen

DOI: https://doi.org/10.1007/978-3-662-46803-6_24

2015-01-01

Abstract:In this paper, we present a practical and provably secure two-pass AKE protocol from ideal lattices, which is conceptually simple and has similarities to the Diffie-Hellman based protocols such as HMQV (CRYPTO 2005) and OAKE (CCS 2013). Our protocol does not rely on other cryptographic primitives—in particular, it does not use signatures—simplifying the protocol and resting the security solely on the hardness of the ring learning with errors problem. The security is proven in the Bellare-Rogaway model with weak perfect forward secrecy. We also give a one-pass variant of our two-pass protocol, which might be appealing in specific applications. Several concrete choices of parameters are provided, and a proof-of-concept implementation shows that our protocols are indeed practical.

Rui Zhang,Lei Zhang

2024-07-13

Abstract:Non-interactive key exchange (NIKE) enables two or multiple parties (just knowing the public system parameters and each other's public key) to derive a (group) session key without the need for interaction. Recently, NIKE in multi-party settings has been attached importance. However, we note that most existing multi-party NIKE protocols, underlying costly cryptographic techniques (i.e., multilinear maps and indistinguishability obfuscation), lead to high computational costs once employed in practice. Therefore, it is a challenging task to achieve multi-party NIKE protocols by using more practical cryptographic primitives. In this paper, we propose a secure and efficient NIKE protocol for secure communications in dynamic groups, whose construction only bases on bilinear maps. This protocol allows multiple parties to negotiate asymmetric group keys (a public group encryption key and each party's decryption key) without any interaction among one another. Additionally, the protocol supports updating of group keys in an efficient and non-interactive way once any party outside a group or any group member joins or leaves the group. Further, any party called a sender (even outside a group) intending to connect with some or all of group members called receivers in a group, just needs to generate a ciphertext with constant size under the public group encryption key, and only the group member who is the real receiver can decrypt the ciphertext to obtain the session key. We prove our protocol captures the correctness and indistinguishability of session key under k-Bilinear Diffie-Hellman exponent (k-BDHE) assumption. Efficiency evaluation shows the efficiency of our protocol.

Cryptography and Security

Haochen M. Kotoi-Xie,Takumi Moriyama

2024-04-16

Abstract:In this writing, we introduce a novel biometric-authenticated key exchange protocol that allows secure and privacy-preserving key establishment between a stateless biometric sensing system and a "smart" user token that possesses biometric templates of the user. The protocol yields a shared secret incorporating random nonce from both parties when they positively authenticate each other. Mutual positive authentication here is defined as when the feature vector calculated from the sensor data captured by the biometric sensing system only differs from the feature vector stored as the biometric template within the user token by less than a predefined threshold. The parties exchange only randomized data and cryptographically derived verifiers; no significant information regarding the vectors is ever exchanged. The protocol essentially utilizes the BBKDF scheme for feature vector matching, and as a result, the threshold is compared per component of the two vectors to be matched. This fact makes it straightforward to employ multiple biometric modalities. The protocol also allows online authentication where the biometric sensing system can potentially send multiple queries derived from different sensor data samples, in one or more rounds. The protocol is designed in such a way that the user token can very efficiently answer a multitude of such queries. This makes the protocol especially suitable for interactive systems while posing a minimal computational burden on the user token. The biometric sensing system can be made stateless, i.e. user registration in advance is not required. Furthermore, the protocol is bidirectionally privacy-preserving in the sense that unless mutual authentication is achieved first, neither the biometric sensing system, nor the user token can gain useful information, respectively regarding the biometric template, or sensor-data-derived feature vectors.

Cryptography and Security

Jíntai Ding,Pedro Branco,Kevin Schmitt

2019-01-01

Abstract:Key Exchange (KE) is, undoubtedly, one of the most used cryptographic primitives in practice. Its authenticated version, Authenticated Key Exchange (AKE), avoids man-in-the-middle-based attacks by providing authentication for both parties involved. It is widely used on the Internet, in protocols such as TLS or SSH. In this work, we provide new constructions for KE and AKE based on ideal lattices in the Random Oracle Model (ROM). The contributions of this work can be summarized as follows: • It is well-known that RLWE-based KE protocols are not robust for key reuses since the signal function leaks information about the secret key. We modify the design of previous RLWE-based KE schemes to allow key reuse in the ROM. Our construction makes use of a new technique called pasteurization which enforces a supposedly RLWE sample sent by the other party to be indeed indistinguishable from a uniform sample and, therefore, ensures no information leakage in the whole KE process. • We build a new AKE scheme based on the construction above. The scheme provides implicit authentication (that is, it does not require the use of any other authentication mechanism, like a signature scheme) and it is proven secure in the Bellare-Rogaway model with weak Perfect Forward Secrecy in the ROM. It improves previous designs for AKE schemes based on lattices in several aspects. Our construction just requires sampling from only one discrete Gaussian distribution and avoids rejection sampling and noise flooding techniques, unlike previous proposals (Zhang et al., EUROCRYPT 2015). Thus, the scheme is much more efficient than previous constructions in terms of computational and communication complexity. Since our constructions are provably secure assuming the hardness of the RLWE problem, they are considered to be robust against quantum adversaries and, thus, suitable for post-quantum applications. ∗Email: pmbranco@math.tecnico.ulisboa.pt

David P. Jablon

DOI: https://doi.org/10.1145/242896.242897

IF: 1.937

1996-10-01

ACM SIGCOMM Computer Communication Review

Abstract:A new simple password exponential key exchange method (SPEKE) is described. It belongs to an exclusive class of methods which provide authentication and key establishment over an insecure channel using only a small password, without risk of offline dictionary attack. SPEKE and the closely-related Diffie-Hellman Encrypted Key Exchange (DH-EKE) are examined in light of both known and new attacks, along with sufficient preventive constraints. Although SPEKE and DH-EKE are similar, the constraints are different. The class of strong password-only methods is compared to other authentication schemes. Benefits, limitations, and tradeoffs between efficiency and security are discussed. These methods are important for several uses, including replacement of obsolete systems, and building hybrid two-factor systems where independent password-only and key-based methods can survive a single event of either key theft or password compromise.

computer science, information systems

Hoi-Kwong Lo,Mattia Montagna,Manfred von Willich

2024-07-30

Abstract:We propose and implement a protocol for a scalable, cost-effective, information-theoretically secure key distribution and management system. The system, called Distributed Symmetric Key Establishment (DSKE), relies on pre-shared random numbers between DSKE clients and a group of Security Hubs. Any group of DSKE clients can use the DSKE protocol to distill from the pre-shared numbers a secret key. The clients are protected from Security Hub compromise via a secret sharing scheme that allows the creation of the final key without the need to trust individual Security Hubs. Precisely, if the number of compromised Security Hubs does not exceed a certain threshold, confidentiality is guaranteed to DSKE clients and, at the same time, robustness against denial-of-service (DoS) attacks. The DSKE system can be used for quantum-secure communication, can be easily integrated into existing network infrastructures, and can support arbitrary groups of communication parties that have access to a key. We discuss the high-level protocol, analyze its security, including its robustness against disruption. A proof-of-principle demonstration of secure communication between two distant clients with a DSKE-based VPN using Security Hubs on Amazon Web Server (AWS) nodes thousands of kilometres away from them was performed, demonstrating the feasibility of DSKE-enabled secret sharing one-time-pad encryption with a data rate above 50 Mbit/s and a latency below 70 ms.

Quantum Physics,Cryptography and Security